Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence

U.S. Senator Ron Wyden has formally urged the Federal Trade Commission (FTC) to investigate Microsoft, citing what he describes as “gross cybersecurity negligence” that has facilitated ransomware attacks on critical U.S. infrastructure, particularly within healthcare systems. In a detailed four-page letter addressed to FTC Chairman Andrew Ferguson, Wyden expressed concerns that Microsoft’s lax cybersecurity practices, coupled with its dominant position in the enterprise operating system market, pose a significant national security risk. He likened the situation to an “arsonist selling firefighting services to their victims.”

This call for scrutiny follows revelations from Wyden’s office regarding a ransomware attack on the healthcare provider Ascension, which occurred last year. This incident resulted in the theft of personal and medical information belonging to approximately 5.6 million individuals, alongside disruptions to electronic health records. The attack was attributed to the ransomware group Black Basta and has been classified as the third-largest healthcare-related breach in the past year by the U.S. Department of Health and Human Services.

According to information from the senator’s office, the breach was initiated when a contractor inadvertently clicked on a malicious link while using Microsoft’s Bing search engine, leading to a malware infection. The attackers subsequently exploited “dangerously insecure default settings” within Microsoft software to gain elevated access to Ascension’s sensitive network components. This included the use of a technique known as Kerberoasting, which abuses the Kerberos authentication protocol: any authenticated domain user can request service tickets from Active Directory that are encrypted with a service account’s password-derived key, and those tickets can then be cracked offline to recover the account’s password.

Concerns Over Insecure Encryption

Kerberoasting takes advantage of a vulnerable encryption technology from the 1980s, known as RC4, which remains supported in Microsoft’s default configurations. Wyden’s office has urged Microsoft to alert its customers about the risks associated with this outdated encryption method by July 29, 2024. RC4, originally intended as a trade secret, was publicly disclosed in 1994 and has been criticized for its various cryptographic weaknesses that allow for plaintext recovery.

In response to these vulnerabilities, Microsoft issued an alert in October 2024 detailing protective measures for users and announced plans to phase out support for RC4 in upcoming updates to Windows 11 24H2 and Windows Server 2025. The company has emphasized that accounts most susceptible to Kerberoasting are those with weak passwords and those utilizing outdated encryption algorithms like RC4, which lacks the necessary security features to protect against cyber threats.

Some of Microsoft’s recommended strategies to fortify environments against Kerberoasting include:

  • Utilizing Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) whenever feasible
  • Securing service accounts with randomly generated, long passwords of at least 14 characters
  • Ensuring all service accounts are configured to use AES (128 and 256 bit) for Kerberos service ticket encryption
  • Conducting audits of user accounts with Service Principal Names (SPNs)
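A defender-side audit matching the last two items in that list (AES-only ticket encryption and a review of SPN-bearing accounts), written here as an added example; it is not Microsoft’s code or anything from the article. It assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and a constructed 365-day password-age threshold.

```powershell
# Added audit script (not Microsoft's or the article's). Assumes the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute (documented by Microsoft)
$RC4_HMAC = 0x04
$AES128   = 0x08
$AES256   = 0x10
$MaxPasswordAgeDays = 365   # assumed threshold for manually managed service accounts

# Service accounts are user objects that carry at least one SPN; krbtgt is excluded.
# gMSA/dMSA objects rotate their own passwords; review them with Get-ADServiceAccount.
$accounts = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet

$report = foreach ($a in $accounts) {
    # Unset attribute casts to 0: the KDC then falls back to the legacy default, which allows RC4
    $etypes     = [int]($a.'msDS-SupportedEncryptionTypes')
    $rc4Allowed = ($etypes -eq 0) -or (($etypes -band $RC4_HMAC) -ne 0)
    $aesEnabled = (($etypes -band ($AES128 -bor $AES256)) -ne 0)
    $ageDays    = if ($a.PasswordLastSet) { [int]((Get-Date) - $a.PasswordLastSet).TotalDays } else { $null }

    if ($rc4Allowed -and -not $aesEnabled) { $finding = 'RC4-only: service tickets are cheap to crack offline' }
    elseif ($rc4Allowed)                   { $finding = 'RC4 still permitted alongside AES' }
    elseif ($ageDays -gt $MaxPasswordAgeDays) { $finding = 'AES-only, but password is stale' }
    else                                   { $finding = 'OK' }

    [PSCustomObject]@{
        Account         = $a.SamAccountName
        SPNCount        = @($a.servicePrincipalName).Count
        EncryptionTypes = if ($etypes -eq 0) { 'unset (DC default)' } else { '0x{0:X}' -f $etypes }
        RC4Allowed      = $rc4Allowed
        AESEnabled      = $aesEnabled
        PasswordAgeDays = $ageDays
        Finding         = $finding
    }
}

$report | Sort-Object RC4Allowed -Descending | Format-Table -AutoSize

# Remediation, per account, once its clients and keytabs are known to support AES:
#   Set-ADUser -Identity <sAMAccountName> -KerberosEncryptionType AES128,AES256
# then reset the password so AES keys are generated for the account, and prefer
# migrating the service to a gMSA as the list above recommends.
```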

However, Wyden pointed out that Microsoft’s software does not enforce a minimum password length of 14 characters for privileged accounts. He criticized the company’s continued reliance on the insecure RC4 encryption technology, arguing that it unnecessarily exposes customers to ransomware and other cyber threats by enabling attackers to crack privileged account passwords more easily.

In a statement to The Hacker News, Microsoft acknowledged the outdated nature of RC4 and expressed its discouragement of its use in both software engineering and customer documentation. The company noted that while RC4 comprises less than 0.1% of its traffic, completely disabling it could disrupt many customer systems. Microsoft is committed to gradually reducing its use while providing strong warnings and guidance for safer alternatives.

Looking ahead, Microsoft plans to disable RC4 by default for any new installations of Active Directory Domains using Windows Server 2025 starting in Q1 of 2026. This proactive measure aims to protect new domains from attacks exploiting RC4 vulnerabilities. The company also intends to implement additional safeguards for existing deployments, balancing compatibility with the need for enhanced security.

This scrutiny of Microsoft’s cybersecurity practices is not unprecedented. A report from the U.S. Cyber Safety Review Board (CSRB) last year criticized the company for a series of preventable errors that allowed Chinese threat actors, known as Storm-0558, to compromise the Microsoft Exchange Online mailboxes of numerous organizations worldwide.

Wyden’s office argues that Microsoft’s troubling cybersecurity history has not hindered its lucrative federal contracts, attributing this to its dominant market position and the inaction of government agencies in response to the company’s ongoing security failures. Ensar Seker, CISO at SOCRadar, highlighted the broader implications of this situation, emphasizing the need for a balance between legacy system support and secure-by-default design in enterprise cybersecurity.

As national security increasingly intertwines with the default configurations of dominant IT platforms, there is a growing call for enterprises and public sector agencies to demand more secure defaults and to be prepared to adapt when such options are presented.
